
Virus Profile: PWS-Bancban

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/17/2003
Date Added: 12/1/2003
Origin: Unknown
Length: 241,664 bytes
Type: Trojan
Subtype: Password
DAT Required: 4299

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

  • Presence of the files and registry entries listed under Virus Characteristics
  • Abnormal outbound e-mail (SMTP) connections to an @hotpop.com address; this activity is normally not visible to the user.
  • System performance slowdown

Methods of Infection

  • Manual execution of the file starts the keylogging.

Aliases

PWS-IO, PWSteal.Banpaes (Symantec), TrojanSpy.Win32.Banpaes (Kaspersky)

Virus Characteristics

PWS-Bancban was added in October 2003 to detect a malicious file called win32dll.exe. The file size is 241,664 bytes; the file is written in Borland Delphi and is packed with UPX.

Selected information from the user is captured and transferred by e-mail, using a built-in SMTP engine, to an @hotpop.com e-mail address (the exact address is omitted on purpose). The password stealer specifically targets banking information, searching for strings such as Banco, HSBC, Banespa, ITAU, Bank, etc.

Upon execution it copies itself to the "windows" directory and, to load itself automatically at the next startup, creates a standard "win32dll" registry entry under:

  • Software\Microsoft\Windows\CurrentVersion\RunService
  • Software\Microsoft\Windows\CurrentVersion\Run
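The indicators above (the "win32dll" Run/RunService value, the dropped file names and their sizes) can be checked offline against a registry export and a file inventory. The following script is an added example, not McAfee's code or part of the original profile: it parses a constructed .reg export and a constructed list of (path, size) pairs, both embedded inline, and reports persistence values and files that match this profile. The sample data, the function names and the `.reg` subset handled (string values only) are all assumptions of this example.

```python
"""Detect the PWS-Bancban indicators listed in this profile (added example).

Works on a .reg export (regedit /e) and a file inventory rather than the
live system, so it runs on any platform and on forensic copies.
"""

# Persistence locations named in the profile (matched under any hive).
RUN_KEY_SUFFIXES = tuple(s.lower() for s in (
    r"Software\Microsoft\Windows\CurrentVersion\RunService",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
))

# File names and sizes from this profile (original sample plus variant .b).
KNOWN_FILES = {
    "win32dll.exe": {241664, 635904},
    "b.exe": {397519},
    "setup.exe": {122880},
    "wmsys32.exe": {655872},
}

# Constructed sample registry export (not from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win32dll"="C:\\WINDOWS\\win32dll.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService]
"win32dll"="C:\\WINDOWS\\win32dll.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed file inventory: (path, size in bytes).
SAMPLE_FILES = [
    (r"C:\WINDOWS\win32dll.exe", 241664),
    (r"C:\WINDOWS\system32\notepad.exe", 69120),
    (r"C:\WINDOWS\wmsys32.exe", 655872),
    (r"C:\Program Files\Vendor\setup.exe", 4321),
]


def basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}.
    Only "name"="data" string values are handled, which is all the Run
    keys normally contain; doubled backslashes in data are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_persistence(keys):
    """Return (key, value_name, data) for Run/RunService values whose name is
    'win32dll' or whose data launches one of the profile's file names."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            if name.lower() == "win32dll" or basename(data) in KNOWN_FILES:
                hits.append((key, name, data))
    return hits


def find_files(inventory):
    """Split inventory into paths matching a known name AND size (strong
    indicator) and paths matching only the name (e.g. a benign setup.exe),
    which are reported for manual review rather than as detections."""
    exact, name_only = [], []
    for path, size in inventory:
        base = basename(path)
        if base in KNOWN_FILES:
            (exact if size in KNOWN_FILES[base] else name_only).append(path)
    return exact, name_only


if __name__ == "__main__":
    for key, name, data in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"persistence: [{key}] {name} = {data}")
    exact, review = find_files(SAMPLE_FILES)
    print("files matching name and size:", exact)
    print("name match only, review manually:", review)
```

Size matching is what keeps the name-only check useful: `setup.exe` and `b.exe` are common names, so only the sizes given in this profile are treated as detections, and everything else with those names goes to the review list.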

Variants

Virus Name: PWS-Bancban.b
Type: Trojan
Subtype: Password
Differences: During November 2003 another variant of PWS-Bancban was discovered.

Included malicious files are:
  • b.exe, 397,519 bytes
  • setup.exe, 122,880 bytes
  • win32dll.exe, 635,904 bytes
  • wmsys32.exe, 655,872 bytes


Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following additional steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.